
Introduction

Session management is fundamental to any web application. In this article we shall try to understand what goes on beneath the hood of the HTTP headers used for session management.

Session management in ASP.NET can be done in two ways:

Using Cookies

Encoding of URLs with Session ID

Let’s try to understand both these methods by analyzing the HTTP headers sent between the browser and Server.

Cookie-based Session Handling

To enable cookie-based session handling, make sure that the web.config file of the web application contains the following entry:

<sessionState mode="InProc" cookieless="false" timeout="20" />

Let’s say the browser makes a request to a server, and this is the first request from the browser to that server. For example, for a request to http://localhost/WebApplication1/WebForm1.aspx, the HTTP request header sent by the browser would be as shown below:

Let’s try to understand this header information. The first line shows the type of HTTP request (GET, POST, HEAD, etc.), followed by the URL of the resource. The second line declares the MIME types which the browser is capable of handling. The third and fourth lines show the default language and encoding. The fifth line contains information about the browser. This information may be used by the server to identify the browser from which the request is coming. The sixth line contains the address of the server to which the request is made. The seventh line indicates that the browser would keep the connection alive for future requests. The response sent back by the server would consist of an HTTP response header and a response body. The response header would look something like this:

Let’s try to understand the lines of interest. The first line indicates the HTTP status code returned by the server. The “200” status code indicates that the request was successfully executed. The sixth line shows the cookie that is sent by the server. This cookie contains the Session ID, which is a unique ID generated by the server. The Set-Cookie header instructs the browser to store the cookie in its cache. For all further requests, this cookie is sent back to the server by the browser. For example, if the user clicks on a button of the first page to make a request to WebForm2.aspx, the request header sent would be:

As we can see, in the next request it makes, the browser passes the session ID back to the server as a cookie. The server extracts this session ID from the cookie and maps it to the Session object on the server side. Thus the session ID is passed to and fro in every request and response. This enables the server to track a user on the server side.
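The exchange described above, as an added example that is not code from the article: a toy server and a toy browser trade the raw HTTP messages, so the Set-Cookie / Cookie round trip and the server-side lookup are visible. The function names, the in-memory session store and the random ID format are assumptions made for illustration; only the cookie name and the page URLs come from this page.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "ASP.NET_SessionId"  # name as quoted in a reader comment on this page

def handle_request(raw_request, sessions):
    """Toy server: map the Cookie header to a session object, or create a new session."""
    header_lines = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in header_lines)}
    jar = SimpleCookie(headers.get("cookie", ""))
    sid = jar[COOKIE_NAME].value if COOKIE_NAME in jar else None
    response = ["HTTP/1.1 200 OK", "Content-Type: text/html"]
    if sid not in sessions:
        # Missing or unknown ID: issue a fresh random one instead of trusting the client value.
        sid = secrets.token_hex(12)
        sessions[sid] = {"requests": 0}
        response.append(f"Set-Cookie: {COOKIE_NAME}={sid}; path=/")
    sessions[sid]["requests"] += 1
    return "\r\n".join(response) + "\r\n\r\n"

def next_request(path, raw_response):
    """Toy browser: echo any cookie from Set-Cookie back in the Cookie header."""
    lines = [f"GET {path} HTTP/1.1", "Host: localhost"]
    for line in raw_response.split("\r\n"):
        name, _, value = line.partition(":")
        if name.lower() == "set-cookie":
            jar = SimpleCookie(value.strip())
            lines.append("Cookie: " + "; ".join(f"{k}={m.value}" for k, m in jar.items()))
    return "\r\n".join(lines) + "\r\n\r\n"

def run_exchange():
    """Constructed two-request exchange; returns the messages and the session store."""
    sessions = {}
    req1 = "GET /WebApplication1/WebForm1.aspx HTTP/1.1\r\nHost: localhost\r\n\r\n"
    resp1 = handle_request(req1, sessions)   # first response carries Set-Cookie
    req2 = next_request("/WebApplication1/WebForm2.aspx", resp1)
    resp2 = handle_request(req2, sessions)   # same session, no new cookie issued
    return req2, resp1, resp2, sessions

if __name__ == "__main__":
    for message in run_exchange()[:3]:
        print(message)
```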

Cookie-less Session Handling

For cookie-less Session handling we need to set the ‘cookieless’ attribute to ‘true’ in web.config.

<sessionState mode="InProc" cookieless="true" timeout="20" />

Now let’s make a request, for example to http://localhost/WebApplication1/WebForm1.aspx, and have a look at the request header. Note: Open a new instance of the web browser, so that the old session ID is used. The request header is as shown below (similar to the earlier request header in cookie-based session handling).

The first response sent by the server contains the HTTP status code 302. This status code instructs the browser to redirect the request to a new URL specified by the Location attribute in the response header. So the browser makes a second request with the new URL. The request header it sends would be as shown below:

It’s important to note that in the above response header, the Server has not passed any Session ID cookie to the browser. Now the big question is what happens for future requests. Suppose we have a relative URL in the first page pointing to a second page as shown below:

Now when ‘WebForm2.aspx’ is requested, the browser will see that it is a relative URL and automatically make a request for the URL /WebApplication1/(bcgmybvma1y45czof4me3sq4)/WebForm2.aspx. Hence the request header that the browser would send would be:

Here it is very important to note that cookie-less session handling would only work with relative URLs. If the URL given is an absolute URL from the root, then the request would go as a fresh request and another session would be generated for it. For example, consider the following URL on a page:

As we can see, the session ID is a new one, different from the one for WebForm1.aspx. Hence URL encoding/mangling cannot be used with full-path URLs.
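The resolution rule above can be checked mechanically. The following added example (not code from the article) resolves every href and form action on a page against the mangled page URL, as a browser would, and reports which targets keep the session ID segment. The page URL is the one used in the article and the two form actions are the ones quoted in a reader comment below; the anchors, the function names and the ID pattern are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# "(id)" path segment, in the form shown in the redirected URL above.
SESSION_SEGMENT = re.compile(r"/\(([a-z0-9]+)\)/")

def session_id(url):
    """Return the session ID embedded in the URL path, or None."""
    match = SESSION_SEGMENT.search(urlsplit(url).path)
    return match.group(1) if match else None

class TargetCollector(HTMLParser):
    """Collect every href and form action on a page."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        self.targets += [v for k, v in attrs if k in ("href", "action") and v]

def audit_targets(page_url, html):
    """Resolve each target as a browser would; report whether the session ID survives."""
    collector = TargetCollector()
    collector.feed(html)
    current = session_id(page_url)
    report = {}
    for target in collector.targets:
        resolved = urljoin(page_url, target)
        report[target] = (resolved, session_id(resolved) == current)
    return report

# Constructed sample: page URL from the article, form actions from a reader
# comment, anchors made up for this example.
PAGE_URL = "http://localhost/WebApplication1/(bcgmybvma1y45czof4me3sq4)/WebForm1.aspx"
PAGE_HTML = """
<form id="form1" action="WebForm2.aspx"></form>
<form id="form2" action="/WebApplication1/WebForm2.aspx"></form>
<a href="Reports/Summary.aspx">summary</a>
<a href="../Help.aspx">help</a>
"""

if __name__ == "__main__":
    for target, (resolved, kept) in audit_targets(PAGE_URL, PAGE_HTML).items():
        print(f"{'keeps' if kept else 'DROPS'} session: {target} -> {resolved}")
```

Targets reported as dropping the session are the ones that, per the article, arrive at the server as a fresh request; note that a document-relative link containing ".." can also climb out of the session segment.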

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

Comments and Discussions

I went through the article. Thanks for the article. It's a good one.
I have one doubt. In the article you have shown the code snippets like when sent to the server what is the code etc. Get and all.
Where can we view those details? I am not able to view them in view source. Can u plz help me in this regard. Thanks in advance

Here it is very important to note that cookie-less session handling would only work with relative URL's. If the URL given in an absolute URL from the root, then the request would go as a fresh request and another session would be generated for it.

Fair enough. But the examples you gave are:

<form id="form1" action="WebForm2.aspx"> <!-- works well -->
<form id="form1" action="/WebApplication1/WebForm2.aspx"> <!-- doesn't work well -->

Now as far as I understand, both the URLs are relative. The first one being relative to the current web page's directory and the second one relative to the root of the web server.

So is it that request for different directory will be considered as a new request? Waiting for a clarification.
I will also try to check it out in my free time.

Hello,
thank you for your article. I have read this and I have one question.

I am using cookie based session handling in a browser and I am storing different values in two session variables.
With each request (reload of the page) the content of these variables is changed properly and I can access the new content through php.

But if I use Cookie variables the content changes only one time later - as i understand because the request comes from the server to the browser and i am using php on the server to change the content of the cookie variables.

but why the session variable are different? why php can access their new value without reload?

Hey,
I want to get Set-Cookie: ASP.NET_SessionId=ll345q550ozqll45qithgi45; path=/ in the response. I have added the lines to the webconfig, also made sure the ASP state service is started but I do not get any session ID.

I am trying to implement Time Zone Concept in my web project. I have one data file where I kept all data regarding Time zone, and access key to this record is time zone abbreviation. Like “IND”,”CTS” etc.

Now I am facing a problem, how to get this abbreviation from client side? And how to get setting of client whether he has set daylight saving in his computer or not?

I think i have a rough suggestion as to how u can go about coding for ur need...

Ur requirement can be fulfilled using Javascript and Ajax...

What u need to do is write a script thru which u'll be able to fetch the current date and time of the client machine.

Using this value, pass it to an AJAX server side function, where u'll be able to fetch the server's date and time.

Write another function to find out the difference ... Additionally, for the daylight savings.... that logic too can be included into this function.. coz we can set the time period when the daylight savings change for each time zone....

using these facts... v can calculate the time zone and set it as the return value for the Ajax function...

I know that this is like a lecture.. as i haven't written any code for this....

but i guess u must have understood... the theory part of it....

i'll post u the code ASAP.. but in the meantime please do try it out....

From the request header we will get IP address.
Ip address will be distinct across the internet.
There will be some webservice to provide IPaddress - time zone mapping.. This is something we need to search and find out....

Hi Aaryan,
Very good morning and thanks for your kind reply.. but as I say there might be strong possibility that 3-4 time zones share the same GMTOffset so we can not rely on GMTOffset to determine its time zone name or abbreviation. And among them there might be possibility that 1 time zone follows daylight saving. In that case our conversion may be wrong. So we can not work on JavaScript gettimezoneoffset function.

I have a web service that creates session data which is used by a web application.
This application contains a flash file which also talks to the web service.
Because flash has its own session management a new session is created and data
available to the rest of the application is not available to flash.
I am trying to work out if there is a way to associate the two sessions (neither
of which are browser based, flash is flash whatever that is and the application
simulates the browser behaviour with a CookieContainer assigned to the web service).
I can pass a SessionID to flash which can use it to recreate the relevant data
in the new session, however I'd rather do something a little more seamless.
Any thoughts/ideas out there?

Colin Angus Mackay wrote: Did you use the code project template for your article?

Narendra Naidu wrote:
NO, I used the Article Submission Wizard

Regards,
naren

----------------------------------------------------------------
I speak for myself, not my company.
Nobody will admit they agree with me, anyway.

Response:

You should download the template file. Write the HTML for your article using this template then copy and paste into the article submission wizard. This will ensure that your article is properly formatted and has the same "user interface" as the rest of the Code Project website. This makes it much easier to read.